[turbofan] Fix incorrect lowering of CheckNonEmptyString.

For CheckNonEmptyString we not only need to rule out that the input is not the empty string, but also make sure that the input is actually a string, hence we need to do a proper instance type check in the general case. Bug: chromium:949996, chromium:947949, v8:8834, v8:8931, v8:8939, v8:8951 Change-Id: Icc260d735d19337bba4bb71570a6c6385e47c310 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557146 Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#60681}

[turbofan] Fix incorrect lowering of CheckNonEmptyString.
For CheckNonEmptyString we not only need to rule out that the input is not the empty string, but also make sure that the input is actually a string, hence we need to do a proper instance type check in the general case. Bug: chromium:949996, chromium:947949, v8:8834, v8:8931, v8:8939, v8:8951 Change-Id: Icc260d735d19337bba4bb71570a6c6385e47c310 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1557146 Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#60681}
57582090 · Benedikt Meurer · Commit Bot · 5133bbf6 · 57582090 · 57582090
Commit 57582090 authored Apr 08, 2019 by Benedikt Meurer Committed by Commit Bot Apr 08, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 4 deletions

effect-control-linearizer.cc src/compiler/effect-control-linearizer.cc +10 -4

regress-crbug-949996.js test/mjsunit/regress/regress-crbug-949996.js +11 -0

No files found.
--- a/src/compiler/effect-control-linearizer.cc
+++ b/src/compiler/effect-control-linearizer.cc
@@ -1842,10 +1842,16 @@ Node* EffectControlLinearizer::LowerCheckNonEmptyString(Node* node,
                                                        Node* frame_state) {
  Node* value = node->InputAt(0);

-  // The empty string "" is canonicalized.
-  Node* check = __ WordEqual(value, __ EmptyStringConstant());
-  __ DeoptimizeIf(DeoptimizeReason::kWrongInstanceType, VectorSlotPair(), check,
-                  frame_state);
+  Node* value_map = __ LoadField(AccessBuilder::ForMap(), value);
+  Node* value_instance_type =
+      __ LoadField(AccessBuilder::ForMapInstanceType(), value_map);
+
+  Node* check = __ Word32Equal(
+      __ Word32And(value_instance_type,
+                   __ Int32Constant(kIsNotStringMask | kIsEmptyStringMask)),
+      __ Int32Constant(kStringTag | kIsNotEmptyStringTag));
+  __ DeoptimizeIfNot(DeoptimizeReason::kWrongInstanceType, VectorSlotPair(),
+                     check, frame_state);

  return value;
 }

--- a/test/mjsunit/regress/regress-crbug-949996.js
+++ b/test/mjsunit/regress/regress-crbug-949996.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --verify-heap
+
+function foo(x) { return x + "0123456789012"; }
+foo('a');
+foo('\u10D0');
+%OptimizeFunctionOnNextCall(foo);
+foo(null);